42 Phony Google Play Apps Delivered Adware: Report

Some 42 apps that were available in the Google Play store had been delivering adware to Android devices for about a year, according to the security firm ESET. In the 12-month period starting in July 2018, these apps were downloaded about 8 million times to Android devices around the world, the researchers say.

Although the Google security team has removed all the apps from the Google Play store, ESET found that many are still available in third-party app stores.

Once downloaded, these apps connect to a command-and-control server and deliver unwanted advertising to a user's Android device at certain intervals, generating income on ad views for the fraudsters, the researchers say. In addition, the malware collects details and data from these devices and then sends that back to the adware developers, the report notes.

The information collected includes device type, the version of Android running, language, number of installed apps, free storage space, battery status, whether the device is rooted and "developer mode" is enabled, and whether Facebook and Facebook Messenger are installed, the researchers say.

The data collected could be used to help deliver other types of malware, the researchers say.

By using open source information and investigating the IP address of the command-and-control server, the ESET researchers traced these malicious apps back to a former Vietnamese college student, the report notes. ESET did not name the individual, but the analysts note they also found the former student's GitHub page, where he advertised himself as an Android developer.

The ESET researchers say that they found similar apps in the Apple App Store created by the same developer, although it did not appear that these apps had the same adware function, the report shows.

Bypassing Security

The adware that ESET discovered uses several tactics and techniques to make sure it remains undetected, the research shows.

After one of these apps is downloaded, it first runs a test to check if the device is being tested by the Google Play security mechanism. Once the test result comes negative, the adware sets a time delay to start displaying advertisements, the research shows. This helps make sure that the user does not associate the particular app with the unwanted advertisements, researcher say.

Apps hiding adware on the Google Play store (Source: ESET)

At the same time, the app connects to the command-and-control server and begins sending data back to the developer who created it.

To ensure that the adware continues to run, the malicious app also hides its icon and creates a shortcut instead, according to the researchers. "If a typical user tries to get rid of the malicious app, chances are that only the shortcut ends up getting removed. The app then continues to run in the background without the user's knowledge," the researchers note.

This type of adware takes advantage of victims of who might download apps and then not check what's going on in the background of their smartphone or other device, security experts say.

"This is a great example of an upstream or side-channel attack. We trust any software that gives us functionality and ignore what else the software might be doing," says Thomas Hatch, CTO at SaltStack, which offers cloud and security configuration tools. "This addiction to functionality is pushing an ever-widening gap between secure and safe computing and the never-ending barrage of new apps. This type of attack is in full swing today and the issue continues to grow."

Adware Increasing

In September, security firm AdSecure released a study that found adware increased a staggering 4,000 percent from the first quarter to the second quarter of 2019. Many of these adware campaigns go undetected for long periods of time, and cybercriminals are using the malware for more than delivering annoying ads. Many times, adware is used to spy on people or as part of a cryptomining scheme, the AdSecure report notes.

About the Author

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at companies such as IDG and Business Standard where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;